<?php

defined('BASEPATH') OR exit('No direct script access allowed');

/**
 * CodeIgniter Rest Controller
 *
 * A fully RESTful server implementation for CodeIgniter using one library, one config file and one controller.
 *
 * @package        	CodeIgniter
 * @subpackage    	Libraries
 * @category    	Libraries
 * @author        	Phil Sturgeon
 * @license         http://philsturgeon.co.uk/code/dbad-license
 * @link			https://github.com/philsturgeon/codeigniter-restserver
 * @version 		2.6.2
 */
abstract class REST_Controller extends CMS_Controller {

    /**
     * This defines the rest format.
     *
     * Must be overridden it in a controller so that it is set.
     *
     * @var string|null
     */
    protected $rest_format = NULL;

    /**
     * Defines the list of method properties such as limit, log and level
     *
     * @var array
     */
    protected $methods = array();

    /**
     * List of allowed HTTP methods
     *
     * @var array
     */
    protected $allowed_http_methods = array('get', 'delete', 'post', 'put');

    /**
     * General request data and information.
     * Stores accept, language, body, headers, etc.
     *
     * @var object
     */
    protected $request = NULL;

    /**
     * What is gonna happen in output?
     *
     * @var object
     */
    protected $response = NULL;

    /**
     * Stores DB, keys, key level, etc
     *
     * @var object
     */
    protected $rest = NULL;

    /**
     * The arguments for the GET request method
     *
     * @var array
     */
    protected $_get_args = array();

    /**
     * The arguments for the POST request method
     *
     * @var array
     */
    protected $_post_args = array();

    /**
     * The arguments for the PUT request method
     *
     * @var array
     */
    protected $_put_args = array();

    /**
     * The arguments for the DELETE request method
     *
     * @var array
     */
    protected $_delete_args = array();

    /**
     * The arguments from GET, POST, PUT, DELETE request methods combined.
     *
     * @var array
     */
    protected $_args = array();

    /**
     * If the request is allowed based on the API key provided.
     *
     * @var boolean
     */
    protected $_allow = TRUE;

    /**
     * Determines if output compression is enabled
     *
     * @var boolean
     */
    protected $_zlib_oc = FALSE;

    /**
     * The LDAP Distinguished Name of the User post authentication
     *
     * @var string
     */
    protected $_user_ldap_dn = '';

    /**
     * List all supported methods, the first will be the default format
     *
     * @var array
     */
    protected $_supported_formats = array(
        'xml' => 'application/xml',
        'json' => 'application/json',
        'jsonp' => 'application/javascript',
        'serialized' => 'application/vnd.php.serialized',
        'php' => 'text/plain',
        'html' => 'text/html',
        'csv' => 'application/csv'
    );
    
//    protected $_supported_formats = array(
//        'xml' => 'application/xml',
//        'json' => 'application/json',
//        'jsonp' => 'application/javascript'
//    );

    /**
     * Developers can extend this class and add a check in here.
     */
    protected function early_checks()
    {
        
    }

    /**
     * Constructor function
     * @todo Document more please.
     */
    public function __construct()
    {
        parent::__construct();

        $this->_zlib_oc = @ini_get('zlib.output_compression');

        // Lets grab the config and get ready to party
        $this->load->config('rest');

        // let's learn about the request
        $this->request = new stdClass();

        // Is it over SSL?
        $this->request->ssl = $this->_detect_ssl();

        // How is this request being made? POST, DELETE, GET, PUT?
        $this->request->method = $this->_detect_method();

        // Create argument container, if nonexistent
        if (!isset($this->{'_' . $this->request->method . '_args'}))
        {
            $this->{'_' . $this->request->method . '_args'} = array();
        }

        // Set up our GET variables
        $this->_get_args = array_merge($this->_get_args, $this->uri->ruri_to_assoc());

//		$this->load->library('security');
        $this->load->helper('security');

        // This library is bundled with REST_Controller 2.5+, but will eventually be part of CodeIgniter itself
        $this->load->library('format');

        // Try to find a format for the request (means we have a request body)
        $this->request->format = $this->_detect_input_format();

        // Some Methods cant have a body
        $this->request->body = NULL;

        $this->{'_parse_' . $this->request->method}();

        // Now we know all about our request, let's try and parse the body if it exists
        if ($this->request->format and $this->request->body)
        {
            $this->request->body = $this->format->factory($this->request->body, $this->request->format)->to_array();
            // Assign payload arguments to proper method container
            $this->{'_' . $this->request->method . '_args'} = $this->request->body;
        }

        // Merge both for one mega-args variable
        $this->_args = array_merge($this->_get_args, $this->_put_args, $this->_post_args, $this->_delete_args, $this->{'_' . $this->request->method . '_args'});

        // Which format should the data be returned in?
        $this->response = new stdClass();
        $this->response->format = $this->_detect_output_format();

        // Which format should the data be returned in?
        $this->response->lang = $this->_detect_lang();

        // Developers can extend this class and add a check in here
        $this->early_checks();

        // Check if there is a specific auth type for the current class/method
        $this->auth_override = $this->_auth_override_check();

        // When there is no specific override for the current class/method, use the default auth value set in the config
        if ($this->auth_override !== TRUE)
        {
            if ($this->config->item('rest_auth') == 'basic')
            {
                $this->_prepare_basic_auth();
            } elseif ($this->config->item('rest_auth') == 'digest')
            {
                $this->_prepare_digest_auth();
            } elseif ($this->config->item('rest_ip_whitelist_enabled'))
            {
                $this->_check_whitelist_auth();
            }
        }

        $this->rest = new StdClass();
        // Load DB if its enabled
        if (config_item('rest_database_group') AND (config_item('rest_enable_keys') OR config_item('rest_enable_logging')))
        {
            $this->rest->db = $this->load->database(config_item('rest_database_group'), TRUE);
        }

        // Use whatever database is in use (isset returns false)
        elseif (@$this->db)
        {
            $this->rest->db = $this->db;
        }

        // Checking for keys? GET TO WORK!
        if (config_item('rest_enable_keys'))
        {
            $this->_allow = $this->_detect_api_key();
        }

        // only allow ajax requests
        if (!$this->input->is_ajax_request() AND config_item('rest_ajax_only'))
        {
//            $this->response(array('status' => false, 'error' => 'Only AJAX requests are accepted.'), 505);
            $this->response(array('status' => 'failed', 'code' => '505', 'message' => 'Only AJAX requests are accepted.'), 505);
        }
    }

    /**
     * Remap
     *
     * Requests are not made to methods directly, the request will be for
     * an "object". This simply maps the object and method to the correct
     * Controller method.
     *
     * @param string $object_called
     * @param array $arguments The arguments passed to the controller method.
     */
    public function _remap($object_called, $arguments)
    {
        // Should we answer if not over SSL?
        if (config_item('force_https') AND !$this->_detect_ssl())
        {
//            $this->response(array('status' => false, 'error' => 'Unsupported protocol'), 403);
            $this->response(array('status' => 'failed', 'code' => '403', 'message' => 'Unsupported protocol.'), 403);
        }

        $pattern = '/^(.*)\.(' . implode('|', array_keys($this->_supported_formats)) . ')$/';
        if (preg_match($pattern, $object_called, $matches))
        {
            $object_called = $matches[1];
        }

        $controller_method = $object_called . '_' . $this->request->method;

        // Do we want to log this method (if allowed by config)?
        $log_method = !(isset($this->methods[$controller_method]['log']) AND $this->methods[$controller_method]['log'] == FALSE);

        // Use keys for this method?
        $use_key = !(isset($this->methods[$controller_method]['key']) AND $this->methods[$controller_method]['key'] == FALSE);

        // Get that useless shitty key out of here
        if (config_item('rest_enable_keys') AND $use_key AND $this->_allow === FALSE)
        {
            if (config_item('rest_enable_logging') AND $log_method)
            {
                $this->_log_request();
            }

//            $this->response(array('status' => false, 'error' => 'Invalid API Key.'), 403);
            $this->response(array('status' => 'failed', 'code' => '403', 'message' => 'Invalid API key.'), 403);
            
        }

        // Sure it exists, but can they do anything with it?
        if (!method_exists($this, $controller_method))
        {
//            $this->response(array('status' => false, 'error' => 'Unknown method.'), 404);
            $this->response(array('status' => 'failed', 'code' => '404', 'message' => 'Unknown method.'), 404);
        }

        // Doing key related stuff? Can only do it if they have a key right?
        if (config_item('rest_enable_keys') AND !empty($this->rest->key))
        {
            // Check the limit
            if (config_item('rest_enable_limits') AND !$this->_check_limit($controller_method))
            {
//                $this->response(array('status' => false, 'error' => 'This API key has reached the hourly limit for this method.'), 401);
                $this->response(array('status' => 'failed', 'code' => '401', 'message' => 'This API key has reached the hourly limit for this method.'), 401);
            }

            // If no level is set use 0, they probably aren't using permissions
            $level = isset($this->methods[$controller_method]['level']) ? $this->methods[$controller_method]['level'] : 0;

            // If no level is set, or it is lower than/equal to the key's level
            $authorized = $level <= $this->rest->level;

            // IM TELLIN!
            if (config_item('rest_enable_logging') AND $log_method)
            {
                $this->_log_request($authorized);
            }

            // They don't have good enough perms
//            $authorized OR $this->response(array('status' => false, 'error' => 'This API key does not have enough permissions.'), 401);
            $authorized OR $this->response(array('status' => 'failed', 'code' => '401', 'message' => 'This API key does not have enough permissions.'), 401);
        }

        // No key stuff, but record that stuff is happening
        else if (config_item('rest_enable_logging') AND $log_method)
        {
            $this->_log_request($authorized = TRUE);
        }

        // And...... GO!
        $this->_fire_method(array($this, $controller_method), $arguments);
    }

    /**
     * Fire Method
     *
     * Fires the designated controller method with the given arguments.
     *
     * @param array $method The controller method to fire
     * @param array $args The arguments to pass to the controller method
     */
    protected function _fire_method($method, $args)
    {
        call_user_func_array($method, $args);
    }

    /**
     * Response
     *
     * Takes pure data and optionally a status code, then creates the response.
     *
     * @param array $data
     * @param null|int $http_code
     */
    public function response($data = array(), $http_code = null)
    {
        global $CFG;

        // If data is empty and not code provide, error and bail
        if (empty($data) && $http_code === null)
        {
            $http_code = 404;

            // create the output variable here in the case of $this->response(array());
            $output = NULL;
        }

        // If data is empty but http code provided, keep the output empty
        else if (empty($data) && is_numeric($http_code))
        {
            $output = NULL;
        }

        // Otherwise (if no data but 200 provided) or some data, carry on camping!
        else
        {
            // Is compression requested?
            if ($CFG->item('compress_output') === TRUE && $this->_zlib_oc == FALSE)
            {
                if (extension_loaded('zlib'))
                {
                    if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) AND strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE)
                    {
                        ob_start('ob_gzhandler');
                    }
                }
            }

            is_numeric($http_code) OR $http_code = 200;

            // If the format method exists, call and return the output in that format
            if (method_exists($this, '_format_' . $this->response->format))
            {
                // Set the correct format header
                header('Content-Type: ' . $this->_supported_formats[$this->response->format]);

                $output = $this->{'_format_' . $this->response->format}($data);
            }

            // If the format method exists, call and return the output in that format
            elseif (method_exists($this->format, 'to_' . $this->response->format))
            {
                // Set the correct format header
                header('Content-Type: ' . $this->_supported_formats[$this->response->format]);

                $output = $this->format->factory($data)->{'to_' . $this->response->format}();
            }

            // Format not supported, output directly
            else
            {
                $output = $data;
            }
        }

        header('HTTP/1.1: ' . $http_code);
        header('Status: ' . $http_code);

        // If zlib.output_compression is enabled it will compress the output,
        // but it will not modify the content-length header to compensate for
        // the reduction, causing the browser to hang waiting for more data.
        // We'll just skip content-length in those cases.
        if (!$this->_zlib_oc && !$CFG->item('compress_output'))
        {
            header('Content-Length: ' . strlen($output));
        }

        exit($output);
    }

    /*
     * Detect SSL use
     *
     * Detect whether SSL is being used or not
     */

    protected function _detect_ssl()
    {
        return (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on");
    }

    /*
     * Detect input format
     *
     * Detect which format the HTTP Body is provided in
     */

    protected function _detect_input_format()
    {
        if ($this->input->server('CONTENT_TYPE'))
        {
            // Check all formats against the HTTP_ACCEPT header
            foreach ($this->_supported_formats as $format => $mime)
            {
                if (strpos($match = $this->input->server('CONTENT_TYPE'), ';'))
                {
                    $match = current(explode(';', $match));
                }

                if ($match == $mime)
                {
                    return $format;
                }
            }
        }

        return NULL;
    }

    /**
     * Detect format
     *
     * Detect which format should be used to output the data.
     *
     * @return string The output format.
     */
    protected function _detect_output_format()
    {
        $pattern = '/\.(' . implode('|', array_keys($this->_supported_formats)) . ')$/';

        // Check if a file extension is used
        if (preg_match($pattern, $this->uri->uri_string(), $matches))
        {
            return $matches[1];
        }

        // Check if a file extension is used
        elseif ($this->_get_args AND !is_array(end($this->_get_args)) AND preg_match($pattern, end($this->_get_args), $matches))
        {
            // The key of the last argument
            $last_key = end(array_keys($this->_get_args));

            // Remove the extension from arguments too
            $this->_get_args[$last_key] = preg_replace($pattern, '', $this->_get_args[$last_key]);
            $this->_args[$last_key] = preg_replace($pattern, '', $this->_args[$last_key]);

            return $matches[1];
        }

        // A format has been passed as an argument in the URL and it is supported
        if (isset($this->_get_args['format']) AND array_key_exists($this->_get_args['format'], $this->_supported_formats))
        {
            return $this->_get_args['format'];
        }

        // Otherwise, check the HTTP_ACCEPT (if it exists and we are allowed)
        if ($this->config->item('rest_ignore_http_accept') === FALSE AND $this->input->server('HTTP_ACCEPT'))
        {
            // Check all formats against the HTTP_ACCEPT header
            foreach (array_keys($this->_supported_formats) as $format)
            {
                // Has this format been requested?
                if (strpos($this->input->server('HTTP_ACCEPT'), $format) !== FALSE)
                {
                    // If not HTML or XML assume its right and send it on its way
                    if ($format != 'html' AND $format != 'xml')
                    {

                        return $format;
                    }

                    // HTML or XML have shown up as a match
                    else
                    {
                        // If it is truly HTML, it wont want any XML
                        if ($format == 'html' AND strpos($this->input->server('HTTP_ACCEPT'), 'xml') === FALSE)
                        {
                            return $format;
                        }

                        // If it is truly XML, it wont want any HTML
                        elseif ($format == 'xml' AND strpos($this->input->server('HTTP_ACCEPT'), 'html') === FALSE)
                        {
                            return $format;
                        }
                    }
                }
            }
        } // End HTTP_ACCEPT checking
        // Well, none of that has worked! Let's see if the controller has a default
        if (!empty($this->rest_format))
        {
            return $this->rest_format;
        }

        // Just use the default format
        return config_item('rest_default_format');
    }

    /**
     * Detect method
     *
     * Detect which HTTP method is being used
     *
     * @return string
     */
    protected function _detect_method()
    {
        $method = strtolower($this->input->server('REQUEST_METHOD'));

        if ($this->config->item('enable_emulate_request'))
        {
            if ($this->input->post('_method'))
            {
                $method = strtolower($this->input->post('_method'));
            } elseif ($this->input->server('HTTP_X_HTTP_METHOD_OVERRIDE'))
            {
                $method = strtolower($this->input->server('HTTP_X_HTTP_METHOD_OVERRIDE'));
            }
        }

        if (in_array($method, $this->allowed_http_methods) && method_exists($this, '_parse_' . $method))
        {
            return $method;
        }

        return 'get';
    }

    /**
     * Detect API Key
     *
     * See if the user has provided an API key
     *
     * @return boolean
     */
    protected function _detect_api_key()
    {
        // Get the api key name variable set in the rest config file
        $api_key_variable = config_item('rest_key_name');

        // Work out the name of the SERVER entry based on config
        $key_name = 'HTTP_' . strtoupper(str_replace('-', '_', $api_key_variable));

        $this->rest->key = NULL;
        $this->rest->level = NULL;
        $this->rest->user_id = NULL;
        $this->rest->ignore_limits = FALSE;

        // Find the key from server or arguments
        if (($key = isset($this->_args[$api_key_variable]) ? $this->_args[$api_key_variable] : $this->input->server($key_name)))
        {
            if (!($row = $this->rest->db->where(config_item('rest_key_column'), $key)->get(config_item('rest_keys_table'))->row()))
            {
                return FALSE;
            }

            $this->rest->key = $row->{config_item('rest_key_column')};

            isset($row->user_id) AND $this->rest->user_id = $row->user_id;
            isset($row->level) AND $this->rest->level = $row->level;
            isset($row->ignore_limits) AND $this->rest->ignore_limits = $row->ignore_limits;

            /*
             * If "is private key" is enabled, compare the ip address with the list
             * of valid ip addresses stored in the database.
             */
            if (!empty($row->is_private_key))
            {
                // Check for a list of valid ip addresses
                if (isset($row->ip_addresses))
                {
                    // multiple ip addresses must be separated using a comma, explode and loop
                    $list_ip_addresses = explode(",", $row->ip_addresses);
                    $found_address = FALSE;

                    foreach ($list_ip_addresses as $ip_address)
                    {
                        if ($this->input->ip_address() == trim($ip_address))
                        {
                            // there is a match, set the the value to true and break out of the loop
                            $found_address = TRUE;
                            break;
                        }
                    }

                    return $found_address;
                } else
                {
                    // There should be at least one IP address for this private key.
                    return FALSE;
                }
            }

            return $row;
        }

        // No key has been sent
        return FALSE;
    }

    /**
     * Detect language(s)
     *
     * What language do they want it in?
     *
     * @return null|string The language code.
     */
    protected function _detect_lang()
    {
        if (!$lang = $this->input->server('HTTP_ACCEPT_LANGUAGE'))
        {
            return NULL;
        }

        // They might have sent a few, make it an array
        if (strpos($lang, ',') !== FALSE)
        {
            $langs = explode(',', $lang);

            $return_langs = array();
            $i = 1;
            foreach ($langs as $lang)
            {
                // Remove weight and strip space
                list($lang) = explode(';', $lang);
                $return_langs[] = trim($lang);
            }

            return $return_langs;
        }

        // Nope, just return the string
        return $lang;
    }

    /**
     * Log request
     *
     * Record the entry for awesomeness purposes
     *
     * @param boolean $authorized
     * @return object
     */
    protected function _log_request($authorized = FALSE)
    {
        return $this->rest->db->insert(config_item('rest_logs_table'), array(
                    'uri' => $this->uri->uri_string(),
                    'method' => $this->request->method,
                    'params' => $this->_args ? (config_item('rest_logs_json_params') ? json_encode($this->_args) : serialize($this->_args)) : null,
                    'api_key' => isset($this->rest->key) ? $this->rest->key : '',
                    'ip_address' => $this->input->ip_address(),
                    'time' => function_exists('now') ? now() : time(),
                    'authorized' => $authorized
                ));
    }

    /**
     * Limiting requests
     *
     * Check if the requests are coming in a tad too fast.
     *
     * @param string $controller_method The method being called.
     * @return boolean
     */
    protected function _check_limit($controller_method)
    {
        // They are special, or it might not even have a limit
        if (!empty($this->rest->ignore_limits) OR !isset($this->methods[$controller_method]['limit']))
        {
            // On your way sonny-jim.
            return TRUE;
        }

        // How many times can you get to this method an hour?
        $limit = $this->methods[$controller_method]['limit'];

        // Get data on a keys usage
        $result = $this->rest->db
                ->where('uri', $this->uri->uri_string())
                ->where('api_key', $this->rest->key)
                ->get(config_item('rest_limits_table'))
                ->row();

        // No calls yet, or been an hour since they called
        if (!$result OR $result->hour_started < time() - (60 * 60))
        {
            // Right, set one up from scratch
            $this->rest->db->insert(config_item('rest_limits_table'), array(
                'uri' => $this->uri->uri_string(),
                'api_key' => isset($this->rest->key) ? $this->rest->key : '',
                'count' => 1,
                'hour_started' => time()
            ));
        }

        // They have called within the hour, so lets update
        else
        {
            // Your luck is out, you've called too many times!
            if ($result->count >= $limit)
            {
                return FALSE;
            }

            $this->rest->db
                    ->where('uri', $this->uri->uri_string())
                    ->where('api_key', $this->rest->key)
                    ->set('count', 'count + 1', FALSE)
                    ->update(config_item('rest_limits_table'));
        }

        return TRUE;
    }

    /**
     * Auth override check
     *
     * Check if there is a specific auth type set for the current class/method
     * being called.
     *
     * @return boolean
     */
    protected function _auth_override_check()
    {

        // Assign the class/method auth type override array from the config
        $this->overrides_array = $this->config->item('auth_override_class_method');

        // Check to see if the override array is even populated, otherwise return false
        if (empty($this->overrides_array))
        {
            return false;
        }

        // Check to see if there's an override value set for the current class/method being called
        if (empty($this->overrides_array[$this->router->class][$this->router->method]))
        {
            return false;
        }

        // None auth override found, prepare nothing but send back a true override flag
        if ($this->overrides_array[$this->router->class][$this->router->method] == 'none')
        {
            return true;
        }

        // Basic auth override found, prepare basic
        if ($this->overrides_array[$this->router->class][$this->router->method] == 'basic')
        {
            $this->_prepare_basic_auth();
            return true;
        }

        // Digest auth override found, prepare digest
        if ($this->overrides_array[$this->router->class][$this->router->method] == 'digest')
        {
            $this->_prepare_digest_auth();
            return true;
        }

        // Whitelist auth override found, check client's ip against config whitelist
        if ($this->overrides_array[$this->router->class][$this->router->method] == 'whitelist')
        {
            $this->_check_whitelist_auth();
            return true;
        }

        // Return false when there is an override value set but it does not match
        // 'basic', 'digest', or 'none'. (the value was misspelled)
        return false;
    }

    /**
     * Parse GET
     */
    protected function _parse_get()
    {
        // Grab proper GET variables
        parse_str(parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY), $get);

        // Merge both the URI segments and GET params
        $this->_get_args = array_merge($this->_get_args, $get);
    }

    /**
     * Parse POST
     */
    protected function _parse_post()
    {
        $this->_post_args = $_POST;

        $this->request->format and $this->request->body = file_get_contents('php://input');
    }

    /**
     * Parse PUT
     */
    protected function _parse_put()
    {
        // It might be a HTTP body
        if ($this->request->format)
        {
            $this->request->body = file_get_contents('php://input');
        }

        // If no file type is provided, this is probably just arguments
        else
        {
            parse_str(file_get_contents('php://input'), $this->_put_args);
        }
    }

    /**
     * Parse DELETE
     */
    protected function _parse_delete()
    {
        // Set up out DELETE variables (which shouldn't really exist, but sssh!)
        parse_str(file_get_contents('php://input'), $this->_delete_args);
    }

    // INPUT FUNCTION --------------------------------------------------------------

    /**
     * Retrieve a value from the GET request arguments.
     *
     * @param string $key The key for the GET request argument to retrieve
     * @param boolean $xss_clean Whether the value should be XSS cleaned or not.
     * @return string The GET argument value.
     */
    public function get($key = NULL, $xss_clean = TRUE)
    {
        if ($key === NULL)
        {
            return $this->_get_args;
        }

        return array_key_exists($key, $this->_get_args) ? $this->_xss_clean($this->_get_args[$key], $xss_clean) : FALSE;
    }

    /**
     * Retrieve a value from the POST request arguments.
     *
     * @param string $key The key for the POST request argument to retrieve
     * @param boolean $xss_clean Whether the value should be XSS cleaned or not.
     * @return string The POST argument value.
     */
    public function post($key = NULL, $xss_clean = TRUE)
    {
        if ($key === NULL)
        {
            return $this->_post_args;
        }

        return array_key_exists($key, $this->_post_args) ? $this->_xss_clean($this->_post_args[$key], $xss_clean) : FALSE;
    }

    /**
     * Retrieve a value from the PUT request arguments.
     *
     * @param string $key The key for the PUT request argument to retrieve
     * @param boolean $xss_clean Whether the value should be XSS cleaned or not.
     * @return string The PUT argument value.
     */
    public function put($key = NULL, $xss_clean = TRUE)
    {
        if ($key === NULL)
        {
            return $this->_put_args;
        }

        return array_key_exists($key, $this->_put_args) ? $this->_xss_clean($this->_put_args[$key], $xss_clean) : FALSE;
    }

    /**
     * Retrieve a value from the DELETE request arguments.
     *
     * @param string $key The key for the DELETE request argument to retrieve
     * @param boolean $xss_clean Whether the value should be XSS cleaned or not.
     * @return string The DELETE argument value.
     */
    public function delete($key = NULL, $xss_clean = TRUE)
    {
        if ($key === NULL)
        {
            return $this->_delete_args;
        }

        return array_key_exists($key, $this->_delete_args) ? $this->_xss_clean($this->_delete_args[$key], $xss_clean) : FALSE;
    }

    /**
     * Process to protect from XSS attacks.
     *
     * @param string $val The input.
     * @param boolean $process Do clean or note the input.
     * @return string
     */
    protected function _xss_clean($val, $process)
    {
        if (CI_VERSION < 2)
        {
            return $process ? $this->input->xss_clean($val) : $val;
        }

        return $process ? $this->security->xss_clean($val) : $val;
    }

    /**
     * Retrieve the validation errors.
     *
     * @return array
     */
    public function validation_errors()
    {
        $string = strip_tags($this->form_validation->error_string());

        return explode("\n", trim($string, "\n"));
    }

    // SECURITY FUNCTIONS ---------------------------------------------------------

    /**
     * Perform LDAP Authentication
     *
     * @param string $username The username to validate
     * @param string $password The password to validate
     * @return boolean
     */
    protected function _perform_ldap_auth($username = '', $password = NULL)
    {
        if (empty($username))
        {
            log_message('debug', 'LDAP Auth: failure, empty username');
            return false;
        }

        log_message('debug', 'LDAP Auth: Loading Config');

        $this->config->load('ldap.php', true);

        $ldaptimeout = $this->config->item('timeout', 'ldap');
        $ldaphost = $this->config->item('server', 'ldap');
        $ldapport = $this->config->item('port', 'ldap');
        $ldaprdn = $this->config->item('binduser', 'ldap');
        $ldappass = $this->config->item('bindpw', 'ldap');
        $ldapbasedn = $this->config->item('basedn', 'ldap');

        log_message('debug', 'LDAP Auth: Connect to ' . $ldaphost);

        $ldapconfig['authrealm'] = $this->config->item('domain', 'ldap');

        // connect to ldap server
        $ldapconn = ldap_connect($ldaphost, $ldapport);

        if ($ldapconn)
        {

            log_message('debug', 'Setting timeout to ' . $ldaptimeout . ' seconds');

            ldap_set_option($ldapconn, LDAP_OPT_NETWORK_TIMEOUT, $ldaptimeout);

            log_message('debug', 'LDAP Auth: Binding to ' . $ldaphost . ' with dn ' . $ldaprdn);

            // binding to ldap server
            $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

            // verify binding
            if ($ldapbind)
            {
                log_message('debug', 'LDAP Auth: bind successful');
            } else
            {
                log_message('error', 'LDAP Auth: bind unsuccessful');
                return false;
            }
        }

        // search for user
        if (($res_id = ldap_search($ldapconn, $ldapbasedn, "uid=$username")) == false)
        {
            log_message('error', 'LDAP Auth: User ' . $username . ' not found in search');
            return false;
        }

        if (ldap_count_entries($ldapconn, $res_id) != 1)
        {
            log_message('error', 'LDAP Auth: failure, username ' . $username . 'found more than once');
            return false;
        }

        if (( $entry_id = ldap_first_entry($ldapconn, $res_id)) == false)
        {
            log_message('error', 'LDAP Auth: failure, entry of searchresult could not be fetched');
            return false;
        }

        if (( $user_dn = ldap_get_dn($ldapconn, $entry_id)) == false)
        {
            log_message('error', 'LDAP Auth: failure, user-dn could not be fetched');
            return false;
        }

        // User found, could not authenticate as user
        if (($link_id = ldap_bind($ldapconn, $user_dn, $password)) == false)
        {
            log_message('error', 'LDAP Auth: failure, username/password did not match: ' . $user_dn);
            return false;
        }

        log_message('debug', 'LDAP Auth: Success ' . $user_dn . ' authenticated successfully');

        $this->_user_ldap_dn = $user_dn;
        ldap_close($ldapconn);
        return true;
    }

    /**
     * Check if the user is logged in.
     *
     * @param string $username The user's name
     * @param string $password The user's password
     * @return boolean
     */
    protected function _check_login($username = '', $password = NULL)
    {
        if (empty($username))
        {
            return FALSE;
        }

        $auth_source = strtolower($this->config->item('auth_source'));

        if ($auth_source == 'ldap')
        {
            log_message('debug', 'performing LDAP authentication for $username');
            return $this->_perform_ldap_auth($username, $password);
        }

        $valid_logins = & $this->config->item('rest_valid_logins');

        if (!array_key_exists($username, $valid_logins))
        {
            return FALSE;
        }

        // If actually NULL (not empty string) then do not check it
        if ($password !== NULL AND $valid_logins[$username] != $password)
        {
            return FALSE;
        }

        return TRUE;
    }

    /**
     * @todo document this.
     */
    protected function _prepare_basic_auth()
    {
        // If whitelist is enabled it has the first chance to kick them out
        if (config_item('rest_ip_whitelist_enabled'))
        {
            $this->_check_whitelist_auth();
        }

        $username = NULL;
        $password = NULL;

        // mod_php
        if ($this->input->server('PHP_AUTH_USER'))
        {
            $username = $this->input->server('PHP_AUTH_USER');
            $password = $this->input->server('PHP_AUTH_PW');
        }

        // most other servers
        elseif ($this->input->server('HTTP_AUTHENTICATION'))
        {
            if (strpos(strtolower($this->input->server('HTTP_AUTHENTICATION')), 'basic') === 0)
            {
                list($username, $password) = explode(':', base64_decode(substr($this->input->server('HTTP_AUTHORIZATION'), 6)));
            }
        }

        if (!$this->_check_login($username, $password))
        {
            $this->_force_login();
        }
    }

    /**
     * @todo Document this.
     */
    protected function _prepare_digest_auth()
    {
        // If whitelist is enabled it has the first chance to kick them out
        if (config_item('rest_ip_whitelist_enabled'))
        {
            $this->_check_whitelist_auth();
        }

        $uniqid = uniqid(""); // Empty argument for backward compatibility
        // We need to test which server authentication variable to use
        // because the PHP ISAPI module in IIS acts different from CGI
        if ($this->input->server('PHP_AUTH_DIGEST'))
        {
            $digest_string = $this->input->server('PHP_AUTH_DIGEST');
        } elseif ($this->input->server('HTTP_AUTHORIZATION'))
        {
            $digest_string = $this->input->server('HTTP_AUTHORIZATION');
        } else
        {
            $digest_string = "";
        }

        // The $_SESSION['error_prompted'] variable is used to ask the password
        // again if none given or if the user enters wrong auth information.
        if (empty($digest_string))
        {
            $this->_force_login($uniqid);
        }

        // We need to retrieve authentication informations from the $auth_data variable
        preg_match_all('@(username|nonce|uri|nc|cnonce|qop|response)=[\'"]?([^\'",]+)@', $digest_string, $matches);
        $digest = array_combine($matches[1], $matches[2]);

        if (!array_key_exists('username', $digest) OR !$this->_check_login($digest['username']))
        {
            $this->_force_login($uniqid);
        }

        $valid_logins = & $this->config->item('rest_valid_logins');
        $valid_pass = $valid_logins[$digest['username']];

        // This is the valid response expected
        $A1 = md5($digest['username'] . ':' . $this->config->item('rest_realm') . ':' . $valid_pass);
        $A2 = md5(strtoupper($this->request->method) . ':' . $digest['uri']);
        $valid_response = md5($A1 . ':' . $digest['nonce'] . ':' . $digest['nc'] . ':' . $digest['cnonce'] . ':' . $digest['qop'] . ':' . $A2);

        if ($digest['response'] != $valid_response)
        {
            header('HTTP/1.0 401 Unauthorized');
            header('HTTP/1.1 401 Unauthorized');
            exit;
        }
    }

    /**
     * Check if the client's ip is in the 'rest_ip_whitelist' config
     */
    protected function _check_whitelist_auth()
    {
        $whitelist = explode(',', config_item('rest_ip_whitelist'));

        array_push($whitelist, '127.0.0.1', '0.0.0.0');

        foreach ($whitelist AS &$ip)
        {
            $ip = trim($ip);
        }

        if (!in_array($this->input->ip_address(), $whitelist))
        {
//            $this->response(array('status' => false, 'error' => 'Not authorized'), 401);
            $this->response(array('status' => 'failed', 'code' => '401', 'message' => 'Not authorized.'), 401);
        }
    }

    /**
     * @todo Document this.
     *
     * @param string $nonce
     */
    protected function _force_login($nonce = '')
    {
        if ($this->config->item('rest_auth') == 'basic')
        {
            header('WWW-Authenticate: Basic realm="' . $this->config->item('rest_realm') . '"');
        } elseif ($this->config->item('rest_auth') == 'digest')
        {
            header('WWW-Authenticate: Digest realm="' . $this->config->item('rest_realm') . '", qop="auth", nonce="' . $nonce . '", opaque="' . md5($this->config->item('rest_realm')) . '"');
        }

//        $this->response(array('status' => false, 'error' => 'Not authorized'), 401);
        $this->response(array('status' => 'failed', 'code' => '401', 'message' => 'Not authorized.'), 401);
    }

    /**
     * Force it into an array
     *
     * @param object|array $data
     * @return array
     */
    protected function _force_loopable($data)
    {
        // Force it to be something useful
        if (!is_array($data) AND !is_object($data))
        {
            $data = (array) $data;
        }

        return $data;
    }

    // FORMATING FUNCTIONS ---------------------------------------------------------
    // Many of these have been moved to the Format class for better separation, but these methods will be checked too

    /**
     * Encode as JSONP
     *
     * @param array $data The input data.
     * @return string The JSONP data string (loadable from Javascript).
     */
    protected function _format_jsonp($data = array())
    {
        return $this->get('callback') . '(' . json_encode($data) . ')';
    }
}
